Document doesn't open with multi-tenant / multi-domain setup

mikerhyner 2022-07-27 14:14:51 UTC #1

We have a multi-tenant / multi-domain setup of EGroupware, using separate database per customer/tenant, with e-mail address style usernames (@), using ‘Virtual Mail Manager’ authentication, with IMAP as login backend. So as a result, designates DB instance or “tenant”.

We have (successfully, I assume) activated and configured Collabora Online within Egroupware:

But now, when clicking on a document, following error mesage appears:

As far I understand (when not being wrong…), access from Collabora Online is done by (temporary) document sharing on EGW side, and Collabora Online then accesses the document by its share link.

Log output of collabora-key container:

wsd-00001-00045 2022-07-27 13:54:33.449271 +0000 [ docbroker_004 ] ERR  loading document exception: WOPI::CheckFileInfo failed: Requested resource '/sElG6kecvCOk6YtV1xaIrEeF7dyU7uZX' does NOT exist!
| wsd/DocumentBroker.cpp:2216
wsd-00001-00045 2022-07-27 13:54:33.450772 +0000 [ docbroker_004 ] ERR  Failed to add session to [/egroupware/collabora/index.php/wopi/files/152] with URI [https://groupware.ownspace.ch/egroupware/collabora/index.php/wopi/files/152?access_token=sElG6kecvCOk6YtV1xaIrEeF7dyU7uZX&access_token_ttl=0]: WOPI::CheckFileInfo failed: Requested resource '/sElG6kecvCOk6YtV1xaIrEeF7dyU7uZX' does NOT exist!
| wsd/DocumentBroker.cpp:2178
wsd-00001-00045 2022-07-27 13:54:33.451897 +0000 [ docbroker_004 ] ERR  Storage error while starting session on /egroupware/collabora/index.php/wopi/files/152 for socket #22. Terminating connection. Error: WOPI::CheckFileInfo failed: Requested resource '/sElG6kecvCOk6YtV1xaIrEeF7dyU7uZX' does NOT exist!
| wsd/COOLWSD.cpp:4407

The egroupware server log (shown with /etc/egroupware-docker/egroupware-logs.sh) says:

2022/07/27 13:54:37 [error] 23#23: *69715 FastCGI sent in stderr: "
PHP message: An error happened (EGroupware\Api\Exception\NotFound): Requested resource '/sElG6kecvCOk6YtV1xaIrEeF7dyU7uZX' does NOT exist!

PHP message: File: /api/src/Sharing.php, Line: 399
PHP message: #0 /usr/share/egroupware/api/src/Sharing.php(221): EGroupware\Api\Sharing::share_fail()
PHP message: #1 /usr/share/egroupware/collabora/src/Wopi.php(165): EGroupware\Api\Sharing::check_token()
PHP message: #2 [internal function]: EGroupware\Collabora\Wopi::create_session()
PHP message: #3 /usr/share/egroupware/api/src/Egw.php(314): call_user_func_array()
PHP message: #4 /usr/share/egroupware/api/src/Egw.php(206): EGroupware\Api\Egw->verify_session()
PHP message: #5 /usr/share/egroupware/api/src/Egw.php(69): EGroupware\Api\Egw->setup()
PHP message: #6 /usr/share/egroupware/api/src/loader.php(113): EGroupware\Api\Egw->__construct()
PHP message: #7 /var/lib/egroupware/header.inc.php(159): require_once('/usr/share/egro...')
PHP message: #8 /usr/share/egroupware/collabora/index.php(23): require_once('/var/lib/egroup...')
PHP message: #9 {main}
PHP message: # Instance=default, User=, Request=GET https://groupware.ownspace.ch/egroupware/collabora/index.php/wopi/files/152?access_token=sElG6kecvCOk6YtV1xaIrEeF7dyU7uZX&access_token_ttl=0&permission=edit, User-agent=COOLWSD HTTP Agent 21.11.5.3" while reading response header from upstream, client: 172.19.0.1, server: _, request: "GET /egroupware/collabora/index.php/wopi/files/152?access_token=sElG6kecvCOk6YtV1xaIrEeF7dyU7uZX&access_token_ttl=0&permission=edit HTTP/1.1", upstream: "fastcgi://172.19.0.3:9000", host: "groupware.ownspace.ch"

I even tried to simply share a document by e-mail, and then accessing it (without being logged in to EGW, of course!) by clicking on the link in the e-mail. That also won’t work “out of the box” in our installation, there’s always a HTTP Auth Window popping up, asking me to login with a valid user. Only when I enter ‘anonymous@rhyner-netsys.ch’ as username within the appearing HTTP Auth Window, I can access the shared file!

So I assume, when log in as ‘anonymous’ user, one will log in to the EGW ‘Default’ instance (and thus accessing default ‘egroupware’ database), but the Share (either done with file manager or by using collabora) entry is created within the tenants/customers datebase, and obviously, default ‘egroupware’ instance would know nothing about the recent share…

So, if that’s the case, I propose to add the tenants domain after or within the share link (when not using default “egroupware” instance), and then communicate share link including domain, f.e. with “@domain.tld”, so the Sharing Part of EGroupware can distinguish between tenants and get the share information from the right database. With this, it should be possible to use both sharing feature and Collabora Online editing also with a “multi-tenant” / multi-database setup.

RalfBecker 2022-07-27 14:49:49 UTC #2

Most easy and working way with multi-tenant EGroupware installation is to use (sub-)domains:

Tenant1: https://tenant1.example.org/egroupware/
Tenant2: https://tenant2.example.org/egroupware/
Tenant3: https://egw.tenant3.org/egroupware/

header.inc.php then uses for the above example the domains tenant1.example.org, tenant2.example.org and egw.tenant3.org. The rest happens automatic and users use just a user-name (which can be an email address NOT matching the EGroupware domain-name).

Getting it working via a domain on the username at login, would require changing the EGroupware code in a couple of places …

Ralf

mikerhyner 2022-07-27 15:48:17 UTC #3

Hello Ralf

Thank you for your answer. Would that mean that we can direct every subdomain to the same EGoupware Host ( VM), and also use the same default Virtual Host, which proxies to one and only EGroupware Docker instance, or do we need separate docker instances for every domain/tenant in this scenario? And what should I then confiugure on EGroupware Setup Page for Mail Authentication, specifically for “Mail server login type:” - currently, we use “username@domainname (Virtual Mail Manager)”? Finally, we would really like to continue using E-Mail Account / IMAP login, as this is simplest for customers…

And would it be possible to have a “mix” of both domain distinction methods (subdomain.domain.tld and @ login at the same time) or would we have to “migrate” all other customers away from current login method?

Best Regards,
M. Rhyner